diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cc5778c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.terraform/
+.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7edd3aa..3fc319d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -30,7 +30,7 @@ repos:
 # JSON5 Linter
 - repo: https://github.com/pre-commit/mirrors-prettier
- rev: v3.1.0
+ rev: v4.0.0-alpha.8
 hooks:
 - id: prettier
 # https://prettier.io/docs/en/options.html#parser
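Review bot: Ignoring `.terraform.lock.hcl` on the second added line drops the provider checksum pin that makes `terraform init` reproducible, and the same commit adds a `terragrunt_providers_lock` pre-commit hook whose only job is to maintain that file, so the hook's output will never be committed. With the `required_providers` constraints elsewhere in this diff being open lower bounds (`>= 5.14.0`, `>= 2.31.0`), every fresh checkout resolves and trusts whatever provider build the registry serves that day. Keep `.terraform/` ignored, but drop the `.terraform.lock.hcl` line and commit the lock file if this module is ever applied as a root (the examples and the new `terragrunt.hcl` suggest it is); if it is only consumed as a child module, the lock file is irrelevant and the `terragrunt_providers_lock` hook should go instead.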
@@ -41,4 +41,54 @@ repos:
 rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
 hooks:
 - id: terraform_fmt
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
 - id: terraform_docs
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
+ - id: terraform_tflint
+ name: Terraform validate with tflint
+ description: Validates all Terraform configuration files with TFLint.
+ require_serial: true
+ entry: hooks/terraform_tflint.sh
+ language: script
+ files: (\.tf|\.tfvars)$
+ exclude: \.(terraform/.*|terragrunt-cache)$
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
+ - id: terragrunt_fmt
+ name: Terragrunt fmt
+ description: Rewrites all Terragrunt configuration files to a canonical format.
+ entry: hooks/terragrunt_fmt.sh
+ language: script
+ files: (\.hcl)$
+ exclude: \.(terraform/.*|terragrunt-cache)$
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
+ - id: terragrunt_validate
+ name: Terragrunt validate
+ description: Validates all Terragrunt configuration files.
+ entry: hooks/terragrunt_validate.sh
+ language: script
+ files: (\.hcl)$
+ exclude: \.(terraform/.*|terragrunt-cache)$
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
+ - id: terragrunt_validate_inputs
+ name: Terragrunt validate inputs
+ description: Validates Terragrunt unused and undefined inputs.
+ entry: hooks/terragrunt_validate_inputs.sh
+ language: script
+ files: (\.hcl)$
+ exclude: \.(terraform/.*|terragrunt-cache)$
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
+ - id: terragrunt_providers_lock
+ name: Terragrunt providers lock
+ description: Updates provider signatures in dependency lock files using terragrunt.
+ entry: hooks/terragrunt_providers_lock.sh
+ language: script
+ files: (terragrunt|\.terraform\.lock)\.hcl$
+ exclude: \.(terraform/.*|terragrunt-cache)$
+ args:
+ - --hook-config=--parallelism-ci-cpu-cores=2
diff --git a/.tflint.hcl b/.tflint.hcl
index a4029d7..30b0d2c 100644
--- a/.tflint.hcl
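Review bot: The `exclude: \.(terraform/.*|terragrunt-cache)$` pattern on each of the five added hook entries only excludes a path that ends in the literal `.terragrunt-cache`; anything inside a `.terragrunt-cache/` directory (the `.hcl` and `.tf` copies Terragrunt writes there) still matches `files:` and gets formatted, validated and lock-updated, which is slow and touches generated files. Anchor the directory the same way `.terraform` is anchored: `exclude: \.(terraform|terragrunt-cache)/.*$`. Separately, if `terraform_tflint` and the four `terragrunt_*` ids already exist in the upstream repo at `v1.92.0`, the `name`/`description`/`entry`/`language`/`files` overrides here re-state upstream's definitions and will silently diverge from them on the next `rev` bump; keeping only `id` plus `args` (and `require_serial` where needed) is the usual form.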
+++ b/.tflint.hcl
@@ -18,4 +18,12 @@ rule "aws_instance_invalid_type" {
 plugin "aws" {
 enabled = true
+ version = "0.32.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+plugin "terraform" {
+ enabled = true
+ version = "0.9.0"
+ source = "github.com/terraform-linters/tflint-ruleset-terraform"
 }
diff --git a/README.md b/README.md
index 4acdc5f..14d8883 100644
--- a/README.md
+++ b/README.md
@@ -33,11 +33,8 @@ kube-proxy
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
 | [aws](#requirement\_aws) | >= 5.14.0 |
-| [cloudinit](#requirement\_cloudinit) | >= 2.3.2 |
-| [http](#requirement\_http) | >= 3.4.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.31.0 |
 | [null](#requirement\_null) | >= 3.2.1 |
-| [time](#requirement\_time) | >= 0.9.1 |
-| [tls](#requirement\_tls) | >= 4.0.4 |
 ## Providers
@@ -55,7 +52,6 @@ kube-proxy
 | Name | Source | Version |
 |------|--------|---------|
 | [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.20.0 |
-| [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
@@ -64,8 +60,8 @@ kube-proxy
 | Name | Type |
 |------|------|
-| [aws_ec2_tag.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
-| [aws_ec2_tag.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
+| [aws_ec2_tag.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_route53_vpc_association_authorization.self_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_vpc_association_authorization.self_zone_east](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
 | [aws_route53_zone.cluster_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
@@ -82,10 +78,9 @@ kube-proxy
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_route53_zone.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
-| [aws_subnets.container-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_subnets.lb-subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_subnets.lb_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
 | [aws_vpc.dummy_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -94,9 +89,6 @@ kube-proxy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [account\_id](#input\_account\_id) | AWS account id | `string` | `""` | no | -| [aws\_environment](#input\_aws\_environment) | AWS Environment (govcloud \| east-west) | `string` | `""` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[| no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | This allows to access the cluster from IEB cloud host | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | @@ -108,8 +100,6 @@ kube-proxy | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Node Group minimum size | `number` | `4` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | `bool` | `false` | no | | [lb\_subnets\_name](#input\_lb\_subnets\_name) | Define the name of the subnets to be used by this cluster | `string` | `"*-private-lb-*"` | no | -| [main\_dns\_profile](#input\_main\_dns\_profile) | Profile name for AWS for the main DNS central account | `string` | `"269244441389-lab-gov-network-nonprod"` | no | -| [main\_dns\_vpcs](#input\_main\_dns\_vpcs) | Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS | `map(string)` |
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
{
"us-gov-east-1": "vpc-070595c5b133243dd",
"us-gov-west-1": "vpc-08b7b4db6a5ddf9c1"
} | no |
| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
| [os\_username](#input\_os\_username) | OS username from environment variable, ideally as $USER | `string` | `null` | no |
| [profile](#input\_profile) | AWS config profile | `string` | `""` | no |
@@ -157,7 +147,7 @@ kube-proxy
| [kms\_key\_policy](#output\_kms\_key\_policy) | The IAM resource policy set on the key |
| [module\_name](#output\_module\_name) | The name of this module. |
| [module\_version](#output\_module\_version) | The version of this module. |
-| [node\_group\_name](#output\_node\_group\_name) | ############################################################################### Additional ############################################################################### output "cluster\_autoscaler\_role\_name" { value = module.cluster\_autoscaler\_irsa\_role.iam\_role\_name } |
+| [node\_group\_name](#output\_node\_group\_name) | name of the node group created for use by karpenter |
| [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| [oidc\_provider](#output\_oidc\_provider) | The OpenID Connect identity provider (issuer URL without leading `https://`) |
diff --git a/aws_data.tf b/aws_data.tf
index 7dead47..fb1697a 100644
--- a/aws_data.tf
+++ b/aws_data.tf
@@ -5,34 +5,3 @@ data "aws_region" "current" {}
data "aws_arn" "current" {
arn = data.aws_caller_identity.current.arn
}
-data "aws_subnets" "container-subnets" {
- filter {
- name = "tag:Name"
- values = [local.container_subnets_name]
- }
- filter {
- name = "vpc-id"
- values = [data.aws_vpc.eks_vpc.id]
- }
-}
-data "aws_subnets" "lb-subnets" {
- filter {
- name = "tag:Name"
- values = [local.lb_subnets_name]
- }
- filter {
- name = "vpc-id"
- values = [data.aws_vpc.eks_vpc.id]
- }
-}
-locals {
- container_subnets_name = var.subnets_name
- lb_subnets_name = var.lb_subnets_name
- base_arn = format("arn:%v:%%v:%v:%v:%%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
- iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
- common_arn = format("arn:%v:%%v:%v:%v:%%v",
- data.aws_arn.current.partition,
- data.aws_region.current.name,
- data.aws_caller_identity.current.account_id)
-
-}
diff --git a/dns_zones.tf b/dns_zones.tf
index 34f087a..195e03a 100644
--- a/dns_zones.tf
+++ b/dns_zones.tf
@@ -1,11 +1,35 @@
#-------------------------------------------------
# DNS Zone for EKS
#-------------------------------------------------
+
+#-------------------------------------------------
+# Locals
+#-------------------------------------------------
+data "aws_subnets" "container_subnets" {
+ filter {
+ name = "tag:Name"
+ values = [local.container_subnets_name]
+ }
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.eks_vpc.id]
+ }
+}
+data "aws_subnets" "lb_subnets" {
+ filter {
+ name = "tag:Name"
+ values = [local.lb_subnets_name]
+ }
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.eks_vpc.id]
+ }
+}
locals {
+ container_subnets_name = var.subnets_name
+ lb_subnets_name = var.lb_subnets_name
cluster_domain_name = format("%v.%v", var.cluster_name, var.vpc_domain_name)
cluster_domain_description = format("%v EKS Cluster DNS Zone", var.cluster_name)
- account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region_short = join("", [for c in split("-", var.region) : substr(c, 0, 1)])
zone_ids = compact(var.zone_ids)
}
#-------------------------------------------------
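Review bot: The new `# Locals` banner at the top of the hunk sits above two `data "aws_subnets"` lookups, not locals, and the file's own banner says it holds the EKS DNS zone, so a reader looking for the subnet selection will not find it here; either retitle it `# Subnet lookups (moved from aws_data.tf)` or keep the data sources in `aws_data.tf` next to the other lookups. The hunk also drops `account_environment` and `region_short` from `locals`; not every reference is visible on this page, so please confirm nothing else in the module still reads `local.account_environment` or `local.region_short`, since a dangling reference only surfaces at plan time.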
@@ -31,6 +55,7 @@ provider "aws" {
provider "aws" {
alias = "self"
+ # Commented as in testing we are assuming this role already
# assume_role {
# role_arn = format("arn:%v:iam::%v:role/r-inf-terraform", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
# session_name = var.os_username
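Review bot: The added comment on the commented-out `assume_role` block documents a testing-time assumption in what is otherwise the module's cross-account provider, so `aws.self` now silently runs with whatever identity invoked Terraform instead of `r-inf-terraform`; if that caller holds broader permissions, the resources that use `aws.self` are created under a different principal than the design intends, and if it holds narrower ones the failure only appears at apply. A wording that names the consequence is clearer: `# assume_role intentionally disabled: callers are expected to already be running as r-inf-terraform; re-enable before non-test use`. If the disablement is meant to be permanent, delete the commented block rather than carrying it. The enclosing `provider "aws"` block continues past the hunk.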
@@ -77,16 +102,6 @@ resource "aws_route53_zone_association" "self_zone_east" {
depends_on = [aws_route53_vpc_association_authorization.self_zone]
}
-#---
-# zone list
-#---
-data "aws_route53_zone" "zones" {
- provider = aws.self
- for_each = toset(local.zone_ids)
- zone_id = each.key
- private_zone = true
-}
-
resource "aws_route53_zone" "cluster_domain" {
name = local.cluster_domain_name
comment = local.cluster_domain_description
@@ -121,10 +136,6 @@ data "aws_vpc" "dummy_vpc" {
name = "tag:Name"
values = ["vpc0-dummy"]
}
- # filter {
- # name = "tag:eks-cluster-name"
- # values = [var.cluster_name]
- # }
}
resource "aws_vpc" "vpc" {
@@ -136,18 +147,19 @@ resource "aws_vpc" "vpc" {
{ "Name" = "vpc0-dummy" },
)
}
+
# Tag existing subnets for EKS
# Container subnets under data.aws_subnets.container-subnets
# Load Balance subnets under data.aws_subnets.lb-subnets
-resource "aws_ec2_tag" "container-subnets" {
- for_each = toset(data.aws_subnets.container-subnets.ids)
+resource "aws_ec2_tag" "container_subnets" {
+ for_each = toset(data.aws_subnets.container_subnets.ids)
resource_id = each.value
key = "kubernetes.io/cluster/${var.cluster_name}"
value = "shared"
}
-resource "aws_ec2_tag" "lb-subnets" {
- for_each = toset(data.aws_subnets.lb-subnets.ids)
+resource "aws_ec2_tag" "lb_subnets" {
+ for_each = toset(data.aws_subnets.lb_subnets.ids)
resource_id = each.value
key = "kubernetes.io/role/internal-nlb"
value = "1"
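Review bot: The two comment lines above `resource "aws_ec2_tag" "container_subnets"` still name the data sources by their old hyphenated ids (`data.aws_subnets.container-subnets`, `data.aws_subnets.lb-subnets`) although the hunk renames both resources and their `for_each` references to `container_subnets` / `lb_subnets`; update them to `# Container subnets under data.aws_subnets.container_subnets` and `# Load balancer subnets under data.aws_subnets.lb_subnets`. It is also worth recording here that both data sources select subnets by a `tag:Name` glob (`var.subnets_name`, `var.lb_subnets_name`), so a broader-than-intended pattern tags, and thereby opens to Kubernetes scheduling and `internal-nlb` placement, every subnet in the VPC whose name happens to match; a one-line `# NOTE: selection is by Name glob; review the plan before widening the pattern` on the resource makes that explicit. The `lb_subnets` resource body continues past the hunk.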
diff --git a/examples/simple/eks.tf b/examples/simple/eks.tf
index 5a851d1..48b55c5 100644
--- a/examples/simple/eks.tf
+++ b/examples/simple/eks.tf
@@ -1,6 +1,5 @@
module "eks" {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
- #source = "git@github.it.census.gov:SOA/tfmod-eks.git//?ref=v1.0.0"
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=1.0.1"
vpc_name = var.vpc_name
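Review bot: The new `source` pins the module to the mutable git tag `?ref=1.0.1`, while `version.tf` in this same diff sets `module_version = "0.0.4"` for the same `tfmod-eks` repository, so the example and the module disagree about which version is being consumed; either the tag or `module_version` is stale, and the `boc:tf_module_version` tag written to every resource will misreport it. For a supply-chain-safe pin, prefer the commit SHA behind the tag (`?ref=<commit-sha>`) with the tag recorded in a comment, since tags on a git remote can be moved. The `module "eks"` block continues past the hunk.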
diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf
index ce03e7a..c4b7c92 100644
--- a/examples/simple/providers.tf
+++ b/examples/simple/providers.tf
@@ -1,7 +1,15 @@
terraform {
required_version = ">= 1.5.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14.0"
+ }
+ }
}
+
provider "aws" {
profile = var.profile
region = var.region
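Review bot: `version = ">= 5.14.0"` in the new `required_providers` block is an open lower bound, which is the right shape for a reusable module but not for a root configuration like this example: a future aws 6.x release will be picked up on the next `init` and can change resource behaviour without any edit here. Use a pessimistic constraint in the examples, `version = "~> 5.14"`, and let the module's own `requirements.tf` keep the `>=` form. The same applies to the identical block added to `examples/testing/providers.tf`.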
diff --git a/examples/testing/eks.tf b/examples/testing/eks.tf
index 5c958ce..f5c3f2f 100644
--- a/examples/testing/eks.tf
+++ b/examples/testing/eks.tf
@@ -1,5 +1,4 @@
module "eks" {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git//"
source = "../.."
vpc_name = var.vpc_name
diff --git a/examples/testing/providers.tf b/examples/testing/providers.tf
index ce03e7a..d88db95 100644
--- a/examples/testing/providers.tf
+++ b/examples/testing/providers.tf
@@ -1,5 +1,12 @@
terraform {
required_version = ">= 1.5.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14.0"
+ }
+ }
}
provider "aws" {
diff --git a/irsa_roles.tf b/irsa_roles.tf
index db5a487..52754d7 100644
--- a/irsa_roles.tf
+++ b/irsa_roles.tf
@@ -1,3 +1,4 @@
+# tflint-ignore: terraform_module_version
module "vpc_cni_irsa_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
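Review bot: The `# tflint-ignore: terraform_module_version` comment added above `module "vpc_cni_irsa_role"` (and the identical ones above `ebs_csi_irsa_role` and `efs_csi_irsa_role` in the next two hunks) suppresses the finding instead of fixing it: these are registry sources (`terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks`) with no `version`, so each `terraform init` fetches the newest published release and the IAM policies those roles attach can change underneath you. Add `version = "<pinned module version>"` to each of the three module blocks and drop the ignore comments; if there is a reason the version cannot be pinned, say so in the comment, e.g. `# tflint-ignore: terraform_module_version -- <reason>`. Each `module` block continues past its hunk.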
@@ -15,6 +16,7 @@ module "vpc_cni_irsa_role" {
tags = local.tags
}
+# tflint-ignore: terraform_module_version
module "ebs_csi_irsa_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
@@ -30,6 +32,7 @@ module "ebs_csi_irsa_role" {
tags = local.tags
}
+# tflint-ignore: terraform_module_version
module "efs_csi_irsa_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
@@ -44,21 +47,3 @@ module "efs_csi_irsa_role" {
}
tags = local.tags
}
-
-module "cluster_autoscaler_irsa_role" {
- source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-
- role_name = "${var.cluster_name}-cluster-autoscaler"
-
- attach_cluster_autoscaler_policy = true
-
- cluster_autoscaler_cluster_names = [module.cluster.cluster_name]
-
- oidc_providers = {
- main = {
- provider_arn = module.cluster.oidc_provider_arn
- namespace_service_accounts = ["kube-system:cluster-autoscaler"]
- }
- }
- tags = local.tags
-}
diff --git a/main.tf b/main.tf
index 7e80e18..fead34b 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,8 @@ locals {
base_tags = {
"eks-cluster-name" = var.cluster_name
- "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local.module_name
+ "boc:tf_module_version" = local.module_version
"boc:created_by" = "terraform"
CostAllocation = var.tag_costallocation
}
@@ -44,7 +45,7 @@ locals {
# 'nlb-policy' = aws_iam_policy.nlb-policy.arn
}
- ng_name = format("%v%v-nodegroup", local._prefixes["eks"], var.cluster_name)
+ ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name)
tags = merge(local.base_tags, var.tags)
@@ -73,7 +74,6 @@ locals {
module "cluster" {
source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.20.0"
- #version = "19.16.0"
cluster_name = var.cluster_name
cluster_version = var.cluster_version
diff --git a/outputs.tf b/outputs.tf
index 5db8b1a..15bc115 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -8,12 +8,12 @@
output "module_name" {
description = "The name of this module."
- value = local._module_name
+ value = local.module_name
}
output "module_version" {
description = "The version of this module."
- value = local._module_version
+ value = local.module_version
}
################################################################################
@@ -281,5 +281,6 @@ output "self_managed_node_groups_autoscaling_group_names" {
# value = module.cluster_autoscaler_irsa_role.iam_role_name
# }
output "node_group_name" {
- value = local.ng_name
+ description = "name of the node group created for use by karpenter"
+ value = local.ng_name
}
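Review bot: The new `description` on `output "node_group_name"` is the only one in this file written lower-case and without a terminating period (`module_name` and `module_version` above use `The name of this module.`), and `karpenter` is a product name; `description = "Name of the node group created for use by Karpenter."` keeps the style consistent. The commented `cluster_autoscaler_role_name` output immediately above still references `module.cluster_autoscaler_irsa_role`, which this commit deletes from `irsa_roles.tf`, so that dead comment can go too.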
diff --git a/prefixes.tf b/prefixes.tf
index 03303f1..f677e0a 100644
--- a/prefixes.tf
+++ b/prefixes.tf
@@ -1,5 +1,5 @@
locals {
- _prefixes = {
+ prefixes = {
"efs" = "v-efs-"
"s3" = "v-s3-"
"ebs" = "v-ebs-"
diff --git a/requirements.tf b/requirements.tf
index 1bc9dda..958be0a 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,25 +6,13 @@ terraform {
source = "hashicorp/aws"
version = ">= 5.14.0"
}
- cloudinit = {
- source = "hashicorp/cloudinit"
- version = ">= 2.3.2"
- }
- http = {
- source = "hashicorp/http"
- version = ">= 3.4.0"
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.31.0"
}
null = {
source = "hashicorp/null"
version = ">= 3.2.1"
}
- time = {
- source = "hashicorp/time"
- version = ">= 0.9.1"
- }
- tls = {
- source = "hashicorp/tls"
- version = ">= 4.0.4"
- }
}
}
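Review bot: `kubernetes` is added to `required_providers` but no `provider "kubernetes"` configuration appears anywhere in this diff; if the module declares kubernetes resources (the `operators_ns` namespace, for instance), Terraform will fall back to an unconfigured provider using the local kubeconfig rather than the cluster created by `module.cluster`, and if it declares none the requirement is dead weight. Whichever it is, either add a provider block wired to `module.cluster` outputs (endpoint, cluster CA data, and exec or token-based auth) or drop the entry. Please also confirm that nothing in the module still uses the removed `cloudinit`, `http`, `time` and `tls` providers, since the README in this diff drops them without showing their former consumers.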
diff --git a/security_groups.tf b/security_groups.tf
index 0dc3ded..6683944 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -1,7 +1,7 @@
locals {
- all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local._prefixes["eks-security-group"], var.cluster_name)
- additional_eks_cluster_sg_name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name)
+ all_worker_mgmt_name = format("%v%v-all-worker-mgmt", local.prefixes["eks-security-group"], var.cluster_name)
+ additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name)
}
resource "aws_security_group" "all_worker_mgmt" {
diff --git a/sg_ports.tf b/sg_ports.tf
index 22ccfeb..8f9201c 100644
--- a/sg_ports.tf
+++ b/sg_ports.tf
@@ -1,56 +1,56 @@
locals {
node_security_group_additional_rules = {
- "ingress_nodes_ephemeral" = {
- "description" = "Node to node ingress on ephemeral ports"
- "from_port" = 80
- "protocol" = "tcp"
- "self" = true
- "to_port" = 65535
- "type" = "ingress"
+ ingress_nodes_ephemeral = {
+ description = "Node to node ingress on ephemeral ports"
+ from_port = 80
+ protocol = "tcp"
+ self = true
+ to_port = 65535
+ type = "ingress"
}
# metrics-server
ingress_cluster_4443_webhook = {
description = "Cluster API to node 4443/tcp webhook"
- protocol = "tcp"
from_port = 4443
+ protocol = "tcp"
+ source_cluster_security_group = true
to_port = 4443
type = "ingress"
- source_cluster_security_group = true
}
# prometheus-adapter
ingress_cluster_6443_webhook = {
description = "Cluster API to node 6443/tcp webhook"
- protocol = "tcp"
from_port = 6443
+ protocol = "tcp"
+ source_cluster_security_group = true
to_port = 6443
type = "ingress"
- source_cluster_security_group = true
}
# Karpenter
ingress_cluster_8443_webhook = {
description = "Cluster API to node 8443/tcp webhook"
- protocol = "tcp"
from_port = 8443
+ protocol = "tcp"
+ source_cluster_security_group = true
to_port = 8443
type = "ingress"
- source_cluster_security_group = true
}
# ALB controller, NGINX
ingress_cluster_9443_webhook = {
description = "Cluster API to node 9443/tcp webhook"
- protocol = "tcp"
from_port = 9443
+ protocol = "tcp"
+ source_cluster_security_group = true
to_port = 9443
type = "ingress"
- source_cluster_security_group = true
}
egress_all = {
+ cidr_blocks = ["0.0.0.0/0"]
description = "Allow all egress"
- protocol = "-1"
from_port = 0
+ protocol = "-1"
to_port = 0
type = "egress"
- cidr_blocks = ["0.0.0.0/0"]
# ipv6_cidr_blocks = var.cluster_ip_family == "ipv6" ? ["::/0"] : null
}
}
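Review bot: `ingress_nodes_ephemeral`, the first entry of the reshaped map, is described as `Node to node ingress on ephemeral ports` but opens `from_port = 80` through `to_port = 65535` with `self = true`, which is far wider than the ephemeral range and silently includes 80, 443, 6443 and every other service port between nodes. The reformat is the moment to make the description and the rule agree: either `from_port = 1025` if ephemeral traffic is what is intended, or rename and describe the rule as deliberate node-to-node access on all ports from 80 upward. The rest of the map is a pure reorder of keys and nothing else changes semantically.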
diff --git a/terragrunt.hcl b/terragrunt.hcl
new file mode 100644
index 0000000..676bf73
--- /dev/null
+++ b/terragrunt.hcl
@@ -0,0 +1,88 @@
+# include "root" {
+# path = find_in_parent_folders()
+# expose = true
+# }
+
+locals {
+ # account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+ # region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+ # In which AWS region are operations being performed
+ # account_id = local.account_vars.locals.aws_account_id
+ account_id = 123456789012
+ # region = local.region_vars.locals.aws_region
+ region = "us-gov-east-1"
+ vpc_name = "vpc3-lab-dev"
+ cluster_name = "example-cluster"
+ cluster_version = "1.30"
+ vpc_domain_name = "dev.lab.csp2.census.gov"
+ eks_instance_disk_size = 100
+ eks_vpc_name = "vpc3-lab-dev"
+ eks_ng_desired_size = 1
+ eks_ng_max_size = 10
+ eks_ng_min_size = 1
+ operators_ns = "operators"
+ enable_cluster_creator_admin_permissions = true
+ cluster_endpoint_public_access = true
+ profile = "224384469011-lab-dev-gov"
+ cluster_mailing_list = "csvd@census.gov"
+
+ # Tags applied to AWS objects created
+ tags = {
+ "Environment" = "dev"
+ "slim:schedule" = "8:00-17:00"
+ "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
+ }
+
+ # aws_auth_roles = [
+ # {
+ # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t3_b200ae7af469cdc8"
+ # aws_rolename : ""
+ # username : "admin"
+ # groups = ["system:masters"]
+ # },
+ # {
+ # rolearn : "arn:aws-us-gov:iam::224384469011:role/r-inf-terraform"
+ # aws_rolename : ""
+ # username : "admin"
+ # groups = ["system:masters"]
+ # },
+ # {
+ # rolearn : "arn:aws-us-gov:iam::224384469011:role/AWSReservedSSO_inf-admin-t2_f3912d726991bbfa"
+ # aws_rolename : ""
+ # username : "admin"
+ # groups = ["system:masters"]
+ # }
+ # ]
+}
+
+terraform {
+ source = "../tfmod-eks"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20m"]
+ }
+}
+
+inputs = {
+ # aws_account_id = local.account_id
+ profile = local.profile
+ vpc_name = local.eks_vpc_name
+ cluster_name = local.cluster_name
+ cluster_version = local.cluster_version
+ eks_instance_disk_size = local.eks_instance_disk_size
+ # eks_vpc_name = local.eks_vpc_name
+ # eks_instance_types = local.eks_instance_types
+ eks_ng_desired_size = local.eks_ng_desired_size
+ eks_ng_max_size = local.eks_ng_max_size
+ eks_ng_min_size = local.eks_ng_min_size
+ operators_ns = local.operators_ns
+ enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
+ cluster_endpoint_public_access = local.cluster_endpoint_public_access
+ tags = local.tags
+ # aws_auth_roles = local.aws_auth_roles
+ vpc_domain_name = local.vpc_domain_name
+ region = local.region
+ # creator = local.cluster_mailing_list
+ os_username = local.cluster_mailing_list
+ shared_vpc_label = "dev"
+}
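Review bot: The new root `terragrunt.hcl` carries a commented-out `aws_auth_roles` list with account-specific SSO role ARNs mapped to `system:masters`, plus a live `profile = "224384469011-lab-dev-gov"` and `cluster_endpoint_public_access = true`; environment identifiers and cluster-admin mappings like these belong in the per-account `account.hcl` / `region.hcl` that the commented `read_terragrunt_config` lines already point at, not in the module repository. `inputs.os_username = local.cluster_mailing_list` also passes a mailing-list address into a variable that `variables.tf` documents as the OS `$USER` and that the `assume_role` block in `dns_zones.tf` used as `session_name`, so CloudTrail would attribute sessions to the list rather than a person; use `os_username = get_env("USER")` or add a separate input for the contact address. Finally, `account_id = 123456789012` is never read by `inputs` and looks like a placeholder, so either wire it up or remove it together with its comments.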
diff --git a/variables.tf b/variables.tf
index 2481239..c23678d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -79,12 +79,6 @@ variable "operators_ns" {
default = "operators"
}
-variable "access_entries" {
- description = "Map of access entries to add to the cluster"
- type = any
- default = {}
-}
-
###################################################################
# Common variables
###################################################################
@@ -113,24 +107,12 @@ variable "profile" {
default = ""
}
-variable "account_id" {
- description = "AWS account id"
- type = string
- default = ""
-}
-
variable "region" {
description = "AWS config region"
type = string
default = ""
}
-variable "aws_environment" {
- description = "AWS Environment (govcloud | east-west)"
- type = string
- default = ""
-}
-
variable "os_username" {
description = "OS username from environment variable, ideally as $USER"
type = string
@@ -141,20 +123,6 @@ variable "os_username" {
# DNS variables
###################################################################
-variable "main_dns_vpcs" {
- description = "Map of region and VPC ids of the vpc1-services in us-gov-west-1 and us-gov-east-1 for centralized DNS"
- type = map(string)
- default = {
- "us-gov-east-1" = "vpc-070595c5b133243dd"
- "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
- }
-}
-
-variable "main_dns_profile" {
- description = "Profile name for AWS for the main DNS central account"
- type = string
- default = "269244441389-lab-gov-network-nonprod"
-}
variable "shared_vpc_label" {
description = "Label to use for shared VPC for flowlogs and other things"
diff --git a/version.tf b/version.tf
index 96080a9..932356f 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,4 @@
locals {
- _module_name = "tfmod-eks"
- _module_version = "0.0.4"
+ module_name = "tfmod-eks"
+ module_version = "0.0.4"
}